SANS Digital Forensics and Incident Response Blog: Author - Dave Hull

In a recent criminal case the defendant admitted he was under the influence at the time of arrest. However, the prosecutor overreached, charging the defendant with attempted kidnapping. According to the defendant, an officer took statements at the scene using mobile recording equipment. These recordings were said to contain exculpatory evidence.


The defense wanted to review the statements taken at the scene, but law enforcement could not produce them. Conflicting testimony was given about whether the recordings had ever been made, so a judge agreed that an expert could investigate.

Forensic analysts and the organizations employing them can simplify and expedite the forensic analysis process with preparation. If you accept that system compromise is a matter of when, not if, then prepare your systems in advance for forensic analysis.

Before moving systems into production, grab a copy of Jesse Kornblum's md5deep from http://md5deep.sourceforge.net and create MD5 checksums of all the files on the system (md5deep -r walks the tree recursively). Have your desktop folks incorporate this into their image building process. If you're really diligent, update your hashes after applying patches; otherwise every patched file shows up as a change when you finally need the baseline. Two caveats: MD5 collisions are practical today, so prefer the sha256deep or hashdeep tools that ship in the same package if the baseline may have to stand up in court, and keep the hash set off the system (read-only media or a central server), because a baseline stored on the box is the first thing a competent intruder will alter.
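The baseline-and-compare workflow above, as an added example that is not from the original post or from the md5deep project: it uses Python's standard hashlib to build a manifest in the same "hash  relative/path" format that md5sum and md5deep -r print, then audits the tree later and reports what was modified, added, or removed. SHA-256 is the default, with the algorithm as a parameter so "md5" can be passed to match the post; the files, paths and "intruder" changes in demo() are constructed for the illustration.

```python
"""Forensic-readiness baseline: hash every file under a tree before it goes
into production, then audit the same tree later to find files that were
modified, added, or removed.  Manifest lines are '<hex hash>  <path>', the
format md5sum/sha256sum and md5deep -r emit (added example, not md5deep code)."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries need not fit in RAM


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of one file's contents."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Walk `root` and map each regular file's path (relative to root) to its
    digest.  Symlinks are skipped: their targets may lie outside the tree and
    would otherwise be counted twice."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p, algorithm)
    return baseline


def write_manifest(baseline, manifest_path):
    """Save the baseline as sorted 'hash  relative/path' lines."""
    with open(manifest_path, "w", encoding="utf-8") as f:
        for rel in sorted(baseline):
            f.write(f"{baseline[rel]}  {rel}\n")


def read_manifest(manifest_path):
    """Parse 'hash  relative/path' lines back into a dict; blank lines ignored."""
    baseline = {}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line.strip():
                continue
            digest, rel = line.split("  ", 1)
            baseline[rel] = digest
    return baseline


def audit(root, baseline, algorithm="sha256"):
    """Compare the tree's current state with the baseline.  Returns sorted lists
    of relative paths that were modified, added (not in baseline) or removed."""
    current = build_baseline(root, algorithm)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: a tiny 'system image' baselined before deployment,
    then changed the way a patch or an intruder would change it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "image"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("Authorized use only\n")

        manifest = Path(tmp) / "baseline.sha256"
        write_manifest(build_baseline(root), manifest)  # taken before deployment

        # Later: a trojaned binary, a new uid-0 account, a dropped file, a deleted file.
        (root / "bin" / "ls").write_bytes(b"original ls binary" + b"\x90" * 16)
        with open(root / "etc" / "passwd", "a") as f:
            f.write("svc:x:0:0::/tmp:/bin/sh\n")
        (root / "bin" / ".x").write_bytes(b"dropper")
        (root / "etc" / "motd").unlink()

        return audit(root, read_manifest(manifest))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the manifest is plain md5sum-style text, the same file can be fed to the hashing tool of your choice later; the audit only ever reads the manifest, so keep that manifest where the compromised host cannot touch it.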